Hi guys,

On Sat, Feb 10, 2018 at 06:26:42PM +0100, Mateusz Małek wrote:
> Hi everyone,
>
> I've narrowed my problem down to the same commit as Tomek Gacek -
> c2aae74f010f97a3415542fe649198a5d3be1ea8 (MEDIUM: ssl: Handle early data
> with OpenSSL 1.1.1), so I guess it may be related. In my case, since upgrade
> to 1.8, some responses from some backends (not sure what exactly triggers
> the bug) do not have their headers modified (despite http-response
> add-header and http-response del-header being set).
>
> Applying patch part-by-part, I got to a point where it seems that that was
> caused by changes to ssl_sock_to_buf function in src/ssl_sock.c (lines
> 396-431):
> https://gist.github.com/mkwm/13dd32fe2b5ec21182f8a06a304228df#file-break-patch-L396-L431
>
> Code at out_error label behaves a bit differently from part removed in this
> commit - namely, it sets conn->flags |= CO_FL_ERROR unconditionally, while
> previously there was an additional check (skipping error flag setting if
> errno was set to EAGAIN). My problems went away straight away when I changed
> out_error to match old code.
>

Thanks a lot for the detailed analysis, and sorry for the late answer.
You're probably right, SSL_ERROR_SYSCALL shouldn't be treated as an
unrecoverable error.
So, what you basically did was something equivalent to the patch attached?

Thanks a lot!

Olivier

>From b423f94273be2c7040ce0861bd4a21617b4c5c2b Mon Sep 17 00:00:00 2001 From: Olivier Houchard <ohouch...@haproxy.com> Date: Tue, 13 Feb 2018 15:17:23 +0100 Subject: [PATCH] MINOR/BUG: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable. SSL_Raad() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL, without meaning the connection is gone. Before flagging the conection as in error, check the errno value. This should be backported to 1.8. --- src/ssl_sock.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index aee3cd965..687133b0d 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5452,7 +5452,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun ssl_sock_dump_errors(conn); ERR_clear_error(); - conn->flags |= CO_FL_ERROR; + if ((ret != SSL_ERROR_SYSCALL) || + (errno && errno != EAGAIN)) + conn->flags |= CO_FL_ERROR; goto leave; } -- 2.14.3
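
Review bot: errno is tested in the new condition only after ssl_sock_dump_errors(conn) and ERR_clear_error() have run, so the value may no longer be the one left by the failed read; save errno in a local right after the failing call and test the saved copy here. The `errno &&` term also leaves the connection unflagged when the result is SSL_ERROR_SYSCALL with errno 0, which is wider than the EAGAIN-only check the report describes in the old code; if that is intended, a short comment above the `if` should say why, otherwise test `errno != EAGAIN` alone.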